From b98c72056a2b808b76a1b2dabf480cfd8babc5c3 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Sat, 29 Mar 2008 15:21:31 +0000
Subject: [PATCH] SEC-728: Change use of String.getBytes() in password encoders to use UTF-8
---
 .../providers/encoding/Md4PasswordEncoder.java | 14 +++++++++++++-
 .../encoding/MessageDigestPasswordEncoder.java | 9 ++++++++-
 .../ldap/authenticator/LdapShaPasswordEncoder.java | 8 +++++---
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/providers/encoding/Md4PasswordEncoder.java b/core/src/main/java/org/springframework/security/providers/encoding/Md4PasswordEncoder.java
index c1b1fd1379..5888b83cb3 100644
--- a/core/src/main/java/org/springframework/security/providers/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/providers/encoding/Md4PasswordEncoder.java
@@ -14,6 +14,8 @@
 */
 package org.springframework.security.providers.encoding;
+import java.io.UnsupportedEncodingException;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
@@ -43,8 +45,18 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
 */
 public String encodePassword(String rawPass, Object salt) {
 String saltedPass = mergePasswordAndSalt(rawPass, salt, false);
+
+ byte[] passBytes;
+
+ try {
+ passBytes = saltedPass.getBytes("UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new IllegalStateException("UTF-8 not supported!", e);
+ }
+
 Md4 md4 = new Md4();
- md4.update(saltedPass.getBytes(), 0, saltedPass.length());
+ md4.update(passBytes, 0, saltedPass.length());
+
 byte[] resBuf = md4.digest();
 if (getEncodeHashAsBase64()) {
diff --git a/core/src/main/java/org/springframework/security/providers/encoding/MessageDigestPasswordEncoder.java b/core/src/main/java/org/springframework/security/providers/encoding/MessageDigestPasswordEncoder.java
index 35984bdc97..892b2f8ded 100644
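Review bot: The new `md4.update(passBytes, 0, saltedPass.length());` in Md4PasswordEncoder.encodePassword still passes the String's character count as the byte length, but after the switch to `getBytes("UTF-8")` any non-ASCII character encodes to more than one byte, so `passBytes.length` can exceed `saltedPass.length()` and only a prefix of the encoded password is digested. Hashing a truncated prefix means two different passwords whose UTF-8 encodings share that prefix produce the same hash, which weakens the check this encoder exists to make; for pure-ASCII input the output is unchanged. The length should come from the array that is actually being hashed: `md4.update(passBytes, 0, passBytes.length);`. Consider adding an encodePassword test with a multi-byte character (a constructed value such as a password containing "é") to pin this. The rest of encodePassword continues past the end of this hunk.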
--- a/core/src/main/java/org/springframework/security/providers/encoding/MessageDigestPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/providers/encoding/MessageDigestPasswordEncoder.java
@@ -3,6 +3,7 @@ package org.springframework.security.providers.encoding;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -72,7 +73,13 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
 MessageDigest messageDigest = getMessageDigest();
- byte[] digest = messageDigest.digest(saltedPass.getBytes());
+ byte[] digest;
+
+ try {
+ digest = messageDigest.digest(saltedPass.getBytes("UTF-8"));
+ } catch (UnsupportedEncodingException e) {
+ throw new IllegalStateException("UTF-8 not supported!");
+ }
 if (getEncodeHashAsBase64()) {
 return new String(Base64.encodeBase64(digest));
diff --git a/core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java b/core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java
index 6556c58385..ef6f25445e 100644
--- a/core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java
@@ -22,6 +22,7 @@ import org.apache.commons.codec.binary.Base64;
 import org.springframework.util.Assert;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
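Review bot: The new catch block in MessageDigestPasswordEncoder drops the cause: `throw new IllegalStateException("UTF-8 not supported!");` discards `e`, whereas the equivalent catch blocks added to Md4PasswordEncoder and LdapShaPasswordEncoder in this same commit pass it along. Losing the cause makes the (admittedly unlikely) failure harder to diagnose from a stack trace and leaves the three encoders inconsistent; change it to `throw new IllegalStateException("UTF-8 not supported!", e);`. The enclosing encodePassword method starts before this hunk and continues after it.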
@@ -82,11 +83,12 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
 try {
 sha = MessageDigest.getInstance("SHA");
+ sha.update(rawPass.getBytes("UTF-8"));
 } catch (java.security.NoSuchAlgorithmException e) {
 throw new IllegalStateException("No SHA implementation available!", e);
- }
-
- sha.update(rawPass.getBytes());
+ } catch (UnsupportedEncodingException ue) {
+ throw new IllegalStateException("UTF-8 not supported!", ue);
+ }
 if (salt != null) {
 Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array");
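Review bot: The `getBytes("UTF-8")` / `catch (UnsupportedEncodingException ...)` / `IllegalStateException("UTF-8 not supported!")` sequence added here is the third copy of the same boilerplate in this commit (Md4PasswordEncoder and MessageDigestPasswordEncoder carry the other two), and the copies have already started to drift from one another. A small shared helper along the lines of `static byte[] utf8Bytes(String s)` that performs the encoding and the checked-to-unchecked translation once would keep all password encoders hashing identical byte sequences for the same input and give a single place to change if the charset handling ever needs adjusting. Folding `sha.update(...)` into the existing `try` also makes the UnsupportedEncodingException handler share a block with the algorithm lookup, which is readable but worth a one-line comment such as `// both failures indicate a broken JRE, not bad input`. The enclosing encodePassword method, where `sha` is declared, starts before this hunk and continues after it.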